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The  Legislative  Audit  Committee 
of  the  Montana  State  Legislature: 

We  have  reviewed  and  evaluated  the  internal  controls  of  the  Computer 
Services  Division  and  the  Information  Systems  Division  of  the  Department 
of  Administration,  state  of  Montana.   Our  tests  included  reviews  of  the 
organizational,  operational,  input  and  output,  and  documentation  controls 
practiced  by  the  divisions.   We  also  performed  detailed  application 
reviews  of  the  Statewide  Budgeting  and  Accounting  System  and  the  Central 
Payroll  System.   The  purpose  of  our  review  was  to  test  the  overall 
integrity  of  the  state  data  processing  function. 

During  our  review,  state  data  processing  was  handled  by  the  Data 
Processing  Division.   Subsequently,  the  functions  of  the  Division  were 
reorganized  into  two  new  divisions,  the  Computer  Services  Division  and 
the  Information  Systems  Division.   Both  new  divisions  remain  part  of  the 
Department  of  Administration.   Because  our  review  was  conducted  prior  to 
this  reorganization,  the  report  refers  to  the  Data  Processing  Division 
rather  than  the  two  new  divisions.   The  functions  of  the  two  new  divisions 
are  essentially  the  same  as  the  former  Data  Processing  Division. 

Vie   were  assisted  in  our  review  by  representatives  of  Arthur  Andersen 
and  Company;  however,  the  recommendations  in  this  report  are  those  of 
the  Office  of  the  Legislative  Auditor. 

Respectfully  submitted, 

Morris  L.  Brusett,  C.P.A. 
Legislative  Auditor 


January  6,  1977 


COMMENTS 

GENERAL 

This  report  reviews  certain  operations  of  three  state  agencies: 
the  Accounting  Division  and  the  Data  Processing  Division,  both  of  which 
are  part  of  the  Department  of  Administration,  and  the  Central  Payroll 
Division,  which  is  a  part  of  the  State  Auditor's  Office.   The  first 
portion  of  the  report  discusses  the  overall  security  and  controls  of  the 
Data  Processing  Division.   These  controls  affect  all  data  processing 
users.   The  second  part  of  the  report  discusses  the  Statewide  Budgeting 
and  Accounting  System.   We  reviewed  the  pre-audit  functions  of  the 
Accounting  Division,  and  we  performed  an  application  review  to  test  the 
system's  overall  integrity.   The  third  part  of  this  report  discusses  the 
Central  Payroll  Division.   We  performed  an  application  review  of  this 
system  to  test  overall  integrity  and  effectiveness  of  controls. 
DATA  PROCESSING  DIVISION 

The  1967  Legislative  Assembly  charged  the  Department  of  Administra- 
tion with  the  responsibility  for  providing  centralized  data  processing 
services  for  the  state  of  Montana.   The  department's  first  computer,  an 
IBM-1440  purchased  in  1965,  had  a  memory  capacity  of  8000  bytes  (a  byte 
is  a  unit  of  computer  storage).   Today,  the  Data  Processing  Division 
operates  an  IBM  370-158  with  a  memory  of  1.5  million  bytes.   Computer 
machine  hours  have  risen  from  200  in  1966  to  over  3,100  in  1976. 

During  fiscal  year  1975-76,  the  Data  Processing  Division  employed 
129  full-time  equivalent  employees.   The  division  utilized  a  revolving 
fund  and  had  expenditures  of  $2,418,000  and  income  of  $2,476,000  during 
the  year.   The  entire  amount  of  income  was  from  charges  to  state  agencies 
for  computer  time  and  computer  programming  and  systems  analysis. 
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DATA  SECURITY 

Security  over  the  physical  assets  and  the  data  stored  on  tapes  or 
disks  should  be  strengthened.   Proper  security  involves  both  physical 
control,  to  prevent  destruction  or  misuse,  and  separation  of  duties  and 
information  to  prevent  misuse  or  unauthorized  changes  to  data.   Although 
proper  security  measures  are  outlined  in  the  division's  Manual  of  Standards, 
we  found  frequent  instances  where  division  personnel  were  not  complying 
with  these  standards.   In  other  instances,  such  as  the  preparation  of 
disaster  files,  the  division  has  not  issued  standards  that  are  adequate 
to  safeguard  the  data.   Many  segments  of  state  government  rely  upon  the 
data  processing  center  to  perform  tasks  critical  to  their  operations.   A 
breakdown  in  security  at  the  division  could  severely  limit  some  of  the 
functions  of  state  government.   The  division  should  ensure  that  adequate 
standards  are  developed  and  that  periodic  management  reviews  assure  the 
proper  implementation  of  those  standards. 
Fire  Procedures 

The  computer  room  and  the  adjoining  tape  library  at  the  data  process- 
ing center  are  protected  by  a  HALON  system.   This  specially  formulated 
gas  is  used  for  fire  protection  since  a  sprinkler  system  or  chemicals 
could  dair-^^e  electronic  equipment  in  extinguishing  a  fire.   Activating 
this  system  also  notifies  the  capitol  security  desk.   Although  this 
system  provides  adequate  fire  safety  for  the  computer  room  and  tape 
library,  other  fire  control  procedures  and  instructions  were  inadequate. 
Some  employees  were  unaware  of  the  location  of  fire  extinguishers  in  the 
immediate  area.   Employees  were  not  aware  of  proper  procedures  to  follow 
in  case  of  fire.   Also,  the  division's  Manual  of  Standards  for  fire 
protection  has  not  been  updated  in  over  five  years  and  contains  incorrect 
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information.   The  manual  lists  phone  numbers  and  employees  responsible 
for  fire  warning  offices  on  each  floor  of  the  Mitchell  Building.   Some 
of  the  numbers  listed  are  no  longer  in  the  Mitchell  Building.   None  of 
the  employees  contacted  was  aware  of  procedures  to  follow  in  case  of 
fire. 

Significant  amounts  of  paper  and  forms,  as  well  as  many  pieces  of 
electrical  and  mechanical  equipment,  are  used  by  the  division.  To 
ensure  the  safety  of  employees  and  to  minimize  damage  in  case  of  fire, 
the  division  should  ensure  that  all  employees  are  aware  of  proper  fire 
procedures.  The  Manual  of  Standards  should  be  frequently  updated  to 
reflect  changing  conditions,  and  employees  should  be  made  aware  of  the 
changes. 

RECOMMENDATION 

We  recommend  that  the  Data  Processing  Division  update   the  fire 
control  procedures  and  inform  all  employees  of  these  procedures. 
Access  to  Computer  Room 

Although  the  division  has  established  some  controls  to  restrict 
access  to  the  computer  room,  enforcement  of  these  controls  has  not  been 
effective.   For  example,  center  policy  requires  visitors  to  sign  in  and 
out  of  the  computer  room,  as  well  as  display  visitor  badges.   Visitor 
badges  are  not  controlled,  and  may  be  obtained  by  anyone  entering  the 
input  control  area.   Division  employees  do  not  require  identification 
from  visitors.   On  several  occasions  during  working  hours  we  found  the 
main  entry  doors  to  the  computer  room  unlocked.   On  another  occasion, 
division  employees  left  the  fire  escape  door  and  the  tape  library  doors 
open.   This  permitted  direct  access  to  the  computer  room  from  outside 
the  Mitchell  Building. 
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Employees  working  in  the  computer  room,  the  tape  library  and  the 
production  control  section  are  issued  identification  badges.   The  badges 
are  not  always  worn,  and  are  frequently  left  in  unsecured  areas.   When 
an  employee  quits,  no  procedures  ensure  that  these  identification  badges 
are  turned  in.   Numerous  employees  have  keys  to  the  Mitchell  Building, 
the  data  processing  center  and  the  computer  room.   No  procedures  exist 
to  ensure  that  keys  are  returned  when  an  employee  terminates. 

Division  personnel  in  charge  of  hiring  new  employees  stated  that  no 
background  checks  or  contacts  with  references  are  made  for  employees 
given  access  to  the  computer.   They  said  that  adequate  education  or 
experience  was  the  only  requirement  for  obtaining  employment. 

This  problem  emphasizes  the  serious  weakness  in  controlling  access 
to  the  computer  room  and  tape  library.   The  computer  mainframe,  excluding 
peripheral  equipment,  costs  over  $2.5  million.   Programs  and  data  stored 
in  the  tape  library  have  been  prepared  and  collected  at  significant  cost 
to  the  state.   Without  adequate  controls,  the  possibility  of  theft, 
vandalism,  and  unauthorized  access  to  information  is  significantly 
increased. 

The  division  should  establish  and  strictly  enforce  controls  which 
limit  access  to  only  authorized  employees.   The  first  step  should  simply 
require  that  doors  to  the  computer  room  and  the  production  control 
section  remain  locked  at  all  times.   Without  this  control,  additional 
security  measures  are  useless.   The  division  should  develop  a  check-in 
system  that  requires  all  employees  and  visitors  to  sign  in  and  out  of 
controlled  areas,  and  no  one  should  enter  a  controlled  area  without  an 
identification  badge  issued  by  the  division. 
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The  division  should  maintain  strict  accountability  over  identifica- 
tion badges  and  keys  to  controlled  areas.   In  addition,  locks  should  be 
changed  on  a  periodic  basis.   All  employees  who  have  access  to  controlled 
areas  should  receive  background  checks  and  references  should  be  contacted 
before  employment. 

Although  the  division  policy  does  require  some  security  measures, 
we  found  that  employees  were  unaware  of  them  or  failed  to  consider 
security  important.   The  division  should  review  security  measures  on  a 
frequent  basis  to  gain  assurance  that  security  policy  is  properly 
implemented. 

RECOmiENDATION 

We  recommend  that  the  Data  Prooessing  Division  periodically  test 
implementation  of  policies   limiting  access   to  restricted  areas. 
Separation  of  Duties 

The  Data  Processing  Division  has  not  established  adequate  separation 
of  duties  between  the  computer  room,  library  and  production  control 
section.   Operators  are  allowed  in  the  library  to  pull  test  tapes  which 
also  allows  access  to  unauthorized  information  and  files.   On  several 
occasions  when  the  computer  was  running  on  a  weekend,  we  found  only  one 
operator  and  no  personnel  in  the  production  control/library  section. 
The  operator  had  total  access  to  both  the  library  and  production  control. 

Individuals  having  access  to  the  computer,  computer  files,  and 
programs  have  an  open  vehicle  for  computer  abuse.   Abusive  acts  may 
include  destruction  of  files,  invasion  of  privacy,  malicious  alteration 
of  records,  embezzlement,  and  fraud.   An  effective  control  approach  is 
to  limit  access  to  the  above-described  resources. 
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There  should  be  a  segregation  of  duties  within  the  data  processing 
center.   The  library  should  not  be  accessible  to  computer  operating 
personnel.   Computer  operators  should  not  have  access  to  nor  should  they 
perform  production  control/library  functions.   This  ensures  that  the 
computer  operators  only  have  access  to  the  computer  files  in  accordance 
with  production  control  and  the  operating  schedule,  thereby  precluding 
unauthorized  computer  runs  and  changes  to  other  files. 

While  adequately  separating  duties  may  require  the  division  to  have 
someone  in  the  production  control  and  library  areas  whenever  the  computer 
is  in  use,  the  risks  and  possible  losses  involved  in  failing  to  adequately 
separate  duties  are  substantial.   As  the  division's  computer  facilities 
are  merged  with  those  of  the  Department  of  Highways,  computer  use  will 
increase  on  a  24-hour  basis.   At  that  time  an  additional  person  may  be 
required  in  the  production  control  and  library  areas  to  process  the 
heavier  work  load  as  well  as  to  provide  separation  of  duties. 

RECOMMSmATION 

We  recommend  that  the  Data  Processing  Division  establish  and 
enforce  a  segregation  of  duties  within  the  division. 
Disaster  Files 

Disaster  files  are  maintained  as  backup  for  original  files  in  case 
of  loss  or  destruction.   A  fire,  earthquake,  or  simply  an  accidental 
erasure  of  information  could  destroy  data  that  has  been  costly  to  collect. 
The  division  stores  its  disaster  files  in  a  locked  off-site  location. 

Our  review  disclosed  weaknesses  in  the  division's  policy  and  proce- 
dures for  preparing  disaster  files.   Some  key  state  systems  are  not 
backed  up  by  disaster  files,  and  some  disaster  files  were  not  routinely 
created  as  required  by  the  user.   The  division  does  not  prepare  disaster 
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files  for  the  central  payroll  system.   Division  officials  explained  that 
the  user  (central  payroll)  had  not  requested  the  preparation  of  disaster 
files.   Creation  and  storage  of  disaster  files  is  an  added  expense  to 
the  cost  of  running  programs,  and  users  must  request  that  this  information 
be  created  and  retained.   If  the  central  payroll  files  were  destroyed, 
the  division  would  be  required  to  keypunch  pay  information  on  each  state 
employee  and  "recreate"  the  payroll  files.   A  systems  analyst  estimated 
that  over  1,000  man-hours  would  be  required  to  keypunch  the  information. 
In  addition  to  the  added  expense,  this  creates  a  possibility  of  introducing 
errors  into  the  data. 

The  division  should  establish  minimum  criteria  for  preparation  of 
disaster  files.   Creation  and  retention  of  disaster  files  should  be 
included  in  the  estimates  provided  agencies  for  the  cost  of  any  system. 
This  policy  should  be  established  by  the  division,  since  they  have  the 
data  processing  expertise  and  are  aware  of  the  costs  of  reconstructing 
data.   Certainly  not  all  applications  require  disaster  files;  however, 
the  division  should  establish  minimum  standards  for  the  creation  of 
these  files. 

Several  disaster  files  for  the  Statewide  Budgeting  and  Accounting 
System  (SBAS)  were  not  created  during  fiscal  year  1975-76.   Division 
officials  explained  that  a  new  employee  was  not  aware  of  the  requirements 
for  disaster  file  creation.   Instructions  to  prepare  disaster  files  were 
passed  verbally  rather  than  using  a  production  work  order.   Disaster 
file  creation  should  be  a  routine  operation,  and  the  requirements  should 
be  documented.   The  division  should  ensure  that  controllers  receive 
written  instructions  regarding  the  production  of  disaster  files. 


-7- 


RECOMMENDATION 

We  recommend  that  the  Data  Processing  Division: 

1.  Encourage  users  with  critical  files  to  provide  adequate 
disaster  backup  and  file  retention. 

2.  Include  in  the  design  and  development  of  new  systems  the 
procedures  to  be  used  for  disaster  file  creation. 

Disaster  Plan 

The  division  has  not  prepared  a  disaster  plan  to  provide  assurance 
of  the  internal  operation  of  key  state  computer  programs.   A  disaster 
plan  should  provide  for  backup  computer  facilities;  lists  of  important 
applications  and  supporting  backup  and  recovery  plans  for  reestablishing 
service.   Employees  should  receive  assignments  which  indicate  their 
responsibilities  during  a  prolonged  equipment  failure  or  emergency. 

The  division  has  entered  into  formal  agreements  with  one  state 
agency  and  three  private  firms  to  provide  backup  computer  facilities  in 
case  of  prolonged  equipment  failure;  however,  the  division  tests  its 
programs  and  applications  on  the  alternate  state  system  only  once  a 
year.   These  systems  have  operated,  but  with  considerable  difficulty. 
Teleprocessing  systems,  those  which  are  on-line,  are  not  backed  up. 
Only  a  portion  of  the  teleprocessing  systems  could  be  operated  using 
batch  processing. 

The  division  plans  to  consolidate  its  computer  facilities  with  the 
state  agency  that  provides  the  backup  computer.   This  may  necessitate 
testing  of  a  non-state  backup  facility,  since  both  state  computers  would 
share  the  same  space. 

To  ensure  the  continued  operation  of  the  center,  the  division 
should  develop  a  formalized  disaster  plan.   This  plan  should  provide  for 


reestablishing  service  on  all  key  applications.   It  should  also  provide 
instructions  to  personnel  of  the  division  concerning  their  duties  in 
case  of  disaster. 

RECOMMENDATION 

We  recommend  that  the  Data  Processing  Division  develop  a  formal 
disaster  plan. 
Program  and  Control  Language  Security 

The  division  maintains  almost  all  operating  programs  at  the  data 
processing  center  on  computer  readable  disks.   These  disks,  the  control 
system  to  safeguard  this  information,  and  the  procedures  to  request  and 
use  specific  programs,  are  referred  to  as  the  Panvalet  library.   This 
library  system  allows  production  control  personnel  to  request  needed 
programs  and  allows  programmers  to  call  up  programs  for  testing  or 
updating.   Updating  and  modifying  a  program  can  be  done  at  the  data 
processing  center  with  punched  cards  or  at  one  of  several  remote  job 
entry  terminals.   Our  review  determined  that  control  over  this  library 
system  is  inadequate.   A  person  with  a  basic  knowledge  of  the  state's 
data  processing  facilities  and  access  to  a  remote  entry  terminal  could 
modify  a  program  without  detection. 

The  library  system  contains  procedures  to  deter  unauthorized  modifica- 
tion; however,  these  are  not  used  by  the  division.   The  division  can 
place  programs  in  either  a  test  or  a  production  status.   In  production 
status,  the  programs  cannot  be  modified  except  through  an  involved  pro- 
cedure.  In  test  status,  programs  are  easily  modified.   Of  141  programs 
for  running  the  Statewide  Budgeting  and  Accounting  System  and  87  programs 
for  the  central  payroll  system,  only  two  were  in  production  status. 
While  placing  a  program  in  production  status  does  not  prevent  modification, 
it  does  provide  additional  safeguards  for  the  program. 
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A  second  library  at  the  data  processing  center  contains  job  control 
language  (JCL) .   This  language  contains  instructions  to  the  computer  for 
executing  a  specific  program  or  procedure.   The  JCL  contains  the  names 
of  various  programs  and  instructs  the  computer  to  execute  those  programs 
in  a  specific  order.   This  library  has  no  protection  and  could  be  easily 
modified.   Altering  the  job  control  language  for  certain  programs  could 
produce  serious  consequences.   A  programmer  could  request  that  the 
computer  execute  an  invalid  program  in  place  of  the  scheduled  program. 

Both  the  Panvalet  library  and  the  JCL  library  should  be  protected 
against  unauthorized  modifications.   The  degree  of  security  required 
should  depend  upon  the  potential  for  loss  or  the  consequences  of  unauthor- 
ized changes  in  certain  programs.   Since  additional  security  costs  money 
and  employee  time,  the  division  should  carefully  review  with  the  user 
the  security  requirements  of  each  system. 

The  responsibility  for  adequate  security  should  also  be  shared  by 
the  system  user  and  the  division.   Presently,  the  primary  responsibility 
to  ensure  that  systems  are  adequately  secured  rests  with  the  user. 
Security  represents  an  additional  expense  to  the  cost  of  running  a 
program.   A  system  user,  in  an  attempt  to  save  money,  may  not  request 
adequate  security.   The  division  should  establish  criteria  for  various 
levels  of  security  to  ensure  that  adequate  security  is  part  of  any 
system. 

Placing  all  production  operating  programs  in  the  Panvalet  library 
in  production  status  would  significantly  increase  security  since  it  is 
difficult  to  alter  a  program  that  is  in  production  status.   The  division 
could  assign  additional  security,  such  as  a  password  system,  to  the 
programs  which  have  the  greatest  risk  of  loss.   The  JCL  library  currently 
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has  no  protection,  and  the  division  should  implement  similar  security 
measures  for  it. 

RECOMMENDATION 

We  reoommend  that  the  Data  Processing  Division: 

1.  Strengthen  and  doawment  prooednres  for  accessing  of 
programs  and  processing   libraries, 

2.  Develop  security  measures  to  protect  the  JCL   library. 

3.  Establish  security  requirements  which  system  users  must 
comply  with. 

Program  Documentation 

Program  documentation  includes  flowcharts,  operating  procedures, 
user  procedures  and  other  information  necessary  to  understand  the  acti- 
vities of  a  program.   The  division's  Manual  of  Standards  specifies 
requirements  which  must  be  met  to  both  control  and  document  changes  to 
production  programs.   We  found  that  the  division's  standards  of  documenta- 
tion are  generally  adequate;  however,  some  controls  and  procedures  were 
not  carried  out  in  actual  practice. 

One  significantly  weak  area  was  the  procedure  to  document  changes 
in  programs.   Frequent  changes  were  made  to  programs  without  written 
approval  of  the  systems  analyst  or  program  user.   Also,  control  over 
forms  used  to  authorize  program  changes  was  not  adequate. 

We  reviewed  a  selection  of  program  change  requests  between  July 
1975  and  March  1976  for  the  Statewide  Budgeting  and  Accounting  System 
(SBAS)  and  the  central  payroll  system.   For  SBAS,  only  six  out  of  47 
were  approved  by  the  analyst  and  none  were  signed  by  the  user.   For 
central  payroll  27  out  of  41  were  signed  by  the  analyst  and  only  one  was 
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signed  by  the  user.   The  division  did  not  use  prenumbered  forms  or 
control  the  forms  using  check- in  logs.   Blank  forms  are  available  in  the 
operations  area.   Some  program  change  requests  were  not  filed  with 
program  documentation. 

Failure  to  initial  program  change  requests  increases  the  possibil- 
ity of  unauthorized  modifications  or  manipulation  to  the  state's  computer 
programs  and  increases  the  potential  for  processing  inaccuracies. 
Failure  to  require  authorization  and  to  control  the  use  of  these  forms 
would  permit  one  employee  to  modify  a  program  without  detection. 
Requiring  both  the  user  and  the  systems  analyst  to  sign  these  forms 
establishes  a  control  to  prevent  unauthorized  modification. 

Since  the  division  has  established  documentation  procedures  in  its 
Manual  of  Standards,  this  problem  can  be  corrected  by  enforcing  these 
standards. 

RECOMMEmATIOl^ 

We  recorrmend  that  the  Data  Processing  Division  enforce  documentation 
standards  by  controlling  the  use  of  program  change  requests  and 
requiring  the  signatures  of  both  the  user  and  the  systems  analyst 
on  these  forms. 
STATEWIDE  i3UDGETING  AND  ACCOUNTING  SYSTEM 

The  Accounting  Division  of  the  Department  of  Administration  operates 
the  Statewide  Budgeting  and  Accounting  System.   In  addition,  the  division 
pre-audits  selected  documents,  distributes  monthly  reports,  prepares  a 
comprehensive  annual  report  and  provides  technical  accounting  services 
to  all  state  agencies.   The  division  processes  thousands  of  documents, 
resulting  in  millions  of  transactions  each  year.   Our  review  of  the 
Statewide  Budgeting  and  Accounting  System  included  some  functions  performed 
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by  the  Accounting  Division,  such  as  the  pre-audit  function  and  account 
reconciliation  and  other  functions  performed  by  the  Data  Processing 
Division.   The  functions  of  both  divisions  are  closely  allied  in  the 
operation  of  the  Statewide  Budgeting  and  Accounting  System.   Implementing 
certain  of  the  following  recommendations  will  require  cooperation  of 
both  divisions. 

Pre-Audit  of  SBAS  Transactions 

The  Accounting  Division  performs  certain  pre-audit  functions 
on  accounting  documents  submitted  for  processing.   Upon  receipt,  all 
documents  are  reviewed  to  ensure  that  they  are  signed.   The  administrator 
reviews  all  documents  establishing  appropriation  authority.   Staff 
accountants  review  all  journal  vouchers  and  correction  documents.   Other 
staff  review  various  documents  on  a  test  basis. 

The  Accounting  Division  has  no  standards  by  which  to  evaluate  the 
effectiveness  of  the  pre-audit  function.   Section  82-109.2,  R.C.M.  1947, 
states  that  the  Department  of  Administration  may  pre-audit  claims  against 
the  state  to  ascertain  if  the  proper  authorizing  signature  is  present; 
if  the  claim  and  supporting  documents  are  mathematically  and  clerically 
accurate;  that  the  proper  appropriation  and  fund  is  charged;  and  that 
the  expenditure  is  legal.   The  Accounting  Division  keeps  no  records  to 
determine  the  necessity  or  effectiveness  of  the  pre-audit  function. 

Presently,  the  type  of  transaction  or  document  reviewed  is  arbitrarily 
selected.   Employees  will  test  a  certain  item  for  a  period  of  time,  then 
select  a  different  attribute  for  review.   The  division  keeps  no  records 
indicating  the  type  or  frequency  of  certain  types  of  errors.   Without 
this  information,  the  division  cannot  evaluate  the  effectiveness  of  the 
pre-auditing  or  determine  problem  areas  which  deserve  additional  attention. 
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For  example,  the  employee  who  reviews  travel  claims  stated  that  she 
finds  three  or  four  errors  daily.   We  selected  two  batches  of  20  travel 
claims  for  review  after  they  had  been  pre-audited  and  found  four  errors 
in  one  batch  and  two  in  the  other.   The  employee  who  pre-audits  travel 
claims  reviews  a  large  number  of  claims  each  day.   The  small  number  of 
errors  that  she  finds  is  an  indication  that  the  pre-audit  function  may 
not  be  effective. 

RECOMMENDATION 

We  recommend  that  the  Department  of  Administration  evaluate  the 
effectiveness  of  the  pre-audit  function. 
Signature  Cards 

The  Accounting  Division  maintains  a  signature  card  file  in  order  to 
insure  that  signatures  on  accounting  documents  are  valid.   Not  all 
documents  are  reviewed;  however,  division  employees  stated  that  signatures 
are  reviewed  on  a  test  basis.   Although  the  signature  card  file  is 
updated  annually,  changes  in  agency  staff  during  the  year  are  not  always 
recorded.   A  review  of  documents  for  authorized  signatures  provides 
assurance  that  only  claims  approved  by  the  agency  are  processed. 

RECOMMENDATION 

We  recommend  that  the  Accounting  Division  continually  update  the 
signature  files. 
Reconciliation  of  Warrants  Issued 

The  accounting  document  which  creates  all  state  warrants  is  the 
transfer  warrant  claim.   These  documents  are  processed  by  the  Accounting 
Division,  and  a  computer  tape  is  created  for  the  State  Auditor's  Office. 
This  tape  prints  state  warrants  which  are  distributed  by  the  State 
Auditor.   Each  day,  an  Accounting  Division  employee  reconciles  the 
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dollar  amount  of  warrants  issued  to  the  dollar  amount  of  transfer  warrant 
claims  processed.   Some  adjustments  to  account  for  emergency  warrants, 
rejected  documents  and  timing  differences  are  usually  required  to  recon- 
cile these  amounts. 

The  proper  reconciliation  of  these  amounts  is  a  key  control  feature 
of  the  state  accounting  system,  since  it  assures  that  warrants  are 
issued  only  for  authorized  state  expenditures.   We  found  several  problems 
in  the  reconciliation  process. 

At  year  end,  the  reconciliation  is  not  performed  for  several  weeks. 
The  state  accounting  system  is  unable  to  process  the  next  year's  trans- 
actions until  the  prior  year's  books  are  closed.   During  this  period 
special  procedures  are  used  to  prepare  state  warrants.   The  Accounting 
Division  loses  assurance  that  warrants  are  issued  only  to  support  valid 
claims. 

The  Data  Processing  Division  performs  a  similar  type  reconciliation 
on  a  daily  basis  before  warrants  are  printed;  however,  it  does  not 
replace  the  reconciliation  prepared  by  the  Accounting  Division.   Errors 
can  occur  which  the  Data  Processing  Division's  procedures  cannot  detect. 

We  also  found  that  reconciliations  are  not  reviewed  by  supervisory 
employees  at  the  Accounting  Division.   During  sample  testing,  we  found 
that  one  reconciliation  was  incorrectly  prepared  and  was  mathematically 
incorrect.   Due  to  the  importance  of  this  reconciliation,  it  should  be 
reviewed  to  ensure  it  has  been  correctly  completed. 
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RECOMMENDATION 

We  reoorrmend  that  the  Accounting  Division: 

1.  Prepare  a  reconciliation  of  claims  processed  and  warrants 
issued  on  a  dnily  basis. 

2.  Provide  supervisory  review  of  the  reconciliation. 
User  Control  Over  SBAS  Processing 

Although  input  controls  established  by  the  Accounting  Division  are 
adequate  to  ensure  that  all  data  received  is  subsequently  processed, 
there  is  no  assurance  that  all  data  submitted  by  the  agency  is  subse- 
quently received  or  processed  by  the  Accounting  Division.   The  only 
assurance  is  a  manual  reconciliation  procedure  at  each  agency.   The 
quality  of  this  reconciliation  process  varies  significantly  between 
agencies. 

Present  input  controls  involve  batch  processing  procedures  estab- 
lished at  the  Accounting  Division.   To  gain  assurance  that  all  data 
processed  by  agencies  is  received  and  processed,  the  Accounting  Division 
should  alter  the  batch  and  edit  routines  to  allow  controlling  source 
documents  at  the  high  volume  user  agencies.   These  agencies  should  also 
have  responsibility  for  maintenance  of  overall  system  control  totals. 

Thes^  controls  should  be  documented  on  an  overall  controls  spread 
sheet  which  can  be  computer  generated;  however,  some  manual  balancing 
would  be  required  to  verify  that  computer  totals  are  the  same  as  manually 
prepared  totals.   The  following  totals  might  be  included  in  the  overall 
control  total: 

— New  input  as  accumulated  in  batches  by  the  originating  agency. 
— Previously  rejected  data  which  has  been  corrected  and  reentered. 
— Previously  rejected  data  which  has  not  been  corrected. 
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— Rejected  data  from  current  processing. 
— Prior  day's  ending  general  ledger  balances. 

— Current  ending  general  ledger  balances  manually  calculated  from  the 
above  information. 

The  type  of  error  that  these  procedures  are  designed  to  detect  is 
illustrated  in  a  letter  from  Montana  State  University  to  the  Office  of 
the  Commissioner  of  Higher  Education.   In  that  letter,  the  assistant 
controller  noted  that  a  February  1977  transaction  tape  from  the  university 
to  the  Accounting  Division  had  not  been  processed.   Over  400  payments  to 
vendors  supplying  goods  and  services  to  the  state  had  payments  delayed 
for  over  two  weeks  and  an  additional  $450,000  in  transactions  were  not 
posted.   Reconciliation  procedures  at  the  university  discovered  the 
omission. 

RECOMMEND AT ION 

We  reoommend  that  the  Department  of  Advinistration  alter  procedures 
to  allow  for  batching  and  controlling  of  source  documents  by 
high  volume  user  agencies. 
Rejected  Transactions 

If  an  entire  batch  of  transactions  is  out  of  balance  or  does  not 
pass  a  validation  check,  the  batch  is  rejected.   Batches  are  listed  on  a 
rejected  document  report  and  automatically  stored  on  a  diskette  for 
correction  and  reentry.   Individual  transactions  are  also  listed  on  a 
rejected  document  report;  however,  individual  transactions  are  not 
transferred  to  diskette,  and  they  effectively  leave  the  system.  \^en 
the  transaction  is  corrected  it  must  be  completely  reentered.   There  are 
no  manual  procedures  to  ensure  that  all  rejected  transactions  are  reentered, 
Also,  the  possibility  exists  that  another  error  could  be  made  that  would 
cause  the  transaction  to  be  rejected  again. 
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Rejected  transactions  should  automatically  be  transferred  to  diskette. 
This  would  provide  control  over  the  correction  process  by  assuring  that 
all  transactions  are  reentered.   This  procedure  would  also  simplify  the 
correction  process,  since  the  entire  transaction  will  not  have  to  be 
reentered. 

RECOMMEWATION 

We  recommend  that  the  Department  of  Administration  transfer 
rejected  transactions  to  a  diskette. 
Year-End  Processing 

At  year-end,  the  Statewide  Budgeting  and  Accounting  System  is 
unable  to  process  the  next  year's  accounting  transactions  until  the 
prior  year's  books  are  closed.   At  the  end  of  the  1976  fiscal  year,  the 
books  were  kept  open  until  July  23,  1976.   Fiscal  year  1977  transactions 
could  not  be  processed  until  July  26,  1976.   Special  warrant  processing 
procedures  were  implemented  during  this  period.   Current  year  claims  are 
not  completely  processed  through  the  accounting  system,  and  only  enough 
information  is  extracted  to  print  a  warrant.   The  Statewide  Budgeting 
and  Accounting  System  should  be  modified  to  permit  processing  of  transac- 
tions from  two  fiscal  years.   This  would  provide  for  better  control  ov/er 
year-end  processing  and  preclude  the  need  for  special  warrant  processing 
procedures  at  year-end. 

REC0!4MEmATI0N 

We  recommend  that  the  Department  of  Administration  modify  the 
Statewide  Budgeting  and  Accounting  System  to  permit  processing 
of  transactions  from  two  fiscal  years. 
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Duplicate  Batch  Warning  Report 

A  control  feature  of  SBAS  is  production  of  a  batch  control  warning 
report.   This  report  lists  all  occurrences  of  duplicate  batch  numbers 
for  each  form  code.   The  report  helps  prevent  double  processing  of  the 
same  batch  of  transactions.   The  batch  number  is  only  a  two-digit  field, 
however,  and  duplicates  occur  when  more  than  99  batches  are  processed. 
Since  some  duplicate  numbers  are  expected,  the  warning  messages  on  the 
report  are  sometimes  ignored.   Procedures  should  be  used  to  ensure  that 
only  batches  processed  twice  show  up  on  the  warning  report. 

RECOmKNDATION 

We  veaommend  that  the  Department  of  Administration  develop  procedures 
to  provide  unique  batch  identification  for  SBAS  processing. 
General  Ledger  Reconciliation 

At  month-end  an  automated  procedure  reconciles  SBAS  subsidiary 
ledgers  to  the  general  ledger.   A  report  is  produced  that  the  input/ 
output  controller  uses  to  ensure  that  files  are  in  balance.   The  report 
is  not  retained,  and  any  corrections  made  are  not  documented. 

.RECOMmNDATION 

We  recommend  that  the  Department  of  Administration  retain  the 

above-described  reconciliation  and  document  any  corrections  made. 
Special  Correcting  Entries 

Certain  types  of  errors  can  occur  in  the  Statewide  Budgeting  and 
Accounting  System  which  cannot  be  corrected  through  normal  procedures. 
One  document,  called  a  "Notice  of  Transaction  Correction"  bypasses  most 
edits  and  can  correct  most  errors;  however,  certain  correcting  entries 
cannot  pass  the  validation  controls.   In  these  cases,  a  special  computer 
program  is  used  to  modify  a  file.   These  changes  are  not  fully  documented, 
and  some  are  made  without  any  documentation. 
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These  corrections  can  involve  changing  the  balance  of  an  asset, 
such  as  cash,  where  only  the  people  Involved  are  aware  of  the  reason  for 
the  change.   The  fact  that  these  changes  can  be  made  when  authorized 
also  indicates  that  changes  for  which  there  is  no  documentation  can  be 
made  without  authorization.   Changes  should  be  made  directly  to  the 
files  only  when  authorized  by  the  director  of  the  department  and  when 
fully  documented. 

RECOMMENDATION 

J/e  recommend  that  the  Department  of  Administration  make  changes 
directly   to  SBAS  files  only  when  authorized  by  the  director  of 
the  department  and  when  fully  documented. 
CENTRAL  PAYROLL 

The  Central  Payroll  Division,  under  the  State  Auditor's  Office,  is 
responsible  for  installing  and  operating  a  uniform  payroll  system  for 
state  government.   The  division  processes  payroll  information  for  all 
state  agencies,  except  university  units.   The  division  employs  six  full- 
time  employees  and  had  expenditures  during  fiscal  year  1975-76  of  $183,000, 
Changes  to  Master  Files 

The  Central  Payroll  Division  uses  a  "Revise  Program"  to  make  four 
types  of  cuanges  to  the  payroll  master  files.   These  are: 

1.  Remove  deductions. 

2.  Adjust  earning  amounts  for  individual  employees. 

3.  Change  employee  agency,  location  or  social  security  number. 

4.  Delete  employees  removed  from  the  master  file. 

The  "Revise  Program"  is  a  very  powerful  program,  since  it  allows 
changes  to  the  master  file  without  first  going  through  the  normal  biweekly 
validate  and  update.   Although  the  Central  Payroll  Division  maintains  an 
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audit  trail  when  using  this  program,  the  nature  of  these  changes  requires 
that  they  receive  the  greatest  visibility.   The  need  for  this  type  of 
program  is  an  indication  of  poor  system  design,  and  its  use  should  be 
subject  to  the  most  stringent  controls. 

As  discussed  earlier  in  our  report,  control  over  access  to  programs 
and  data  files  in  storage  is  not  adequate.   Initial  control  could  be 
established  by  the  use  of  passwords  to  access  data  files  and  programs. 
Unauthorized  access  attempts  could  be  reported  to  and  reviewed  by  the 
Central  Payroll  Division.   The  "Revise  Program''  should  only  be  used 
based  upon  a  written  request  from  the  Central  Payroll  Division.   The 
request,  plus  all  source  documents  and  output  reports,  should  be  retained 
by  the  division.   Copies  of  output  reports  should  be  given  to  all  agencies 
affected  by  the  changes. 

RECOMMENDATION 

We  reoommend  that  the  Central  Payroll  Division: 

1.  Place  strict  controls  over  use  of  the   "Revise  Program" 
and  payroll  data  files. 

2.  Provide  output  reports  to  all  agencies  affected  by  the 
use  of  the   "Revise  Program.  " 

Compatibility  With  the  Statewide  Budgeting  and  Accounting  System 

The  Central  Payroll  Division  and  the  Statewide  Budgeting  and  Account- 
ing System  (SBAS)  are  separate  systems  operated  by  different  state 
agencies.   The  State  Auditor  is  responsible  for  the  Central  Payroll 
Division.   Payroll  transactions  are  posted  to  SBAS  on  a  biweekly  basis 
through  computer-generated  documents  from  Central  Payroll  Division 
records  to  the  SBAS.   The  Department  of  Administration  is  responsible 
for  the  SBAS.   The  two  systems  are  not  entirely  compatible. 
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The  Statewide  Budgeting  and  Accounting  System  permits  cost  accounting 
for  up  to  five  levels  within  a  program.   Many  large  agencies  and  institu- 
tions require  all  five  levels  in  order  to  provide  adequate  cost  informa- 
tion to  various  levels  of  management.   The  central  payroll  system  allows 
for  only  three  cost  or  subprogram  levels  within  an  agency.   Those  agencies 
using  the  fourth  or  fifth  program  levels  must  prepare  a  journal  voucher 
to  post  this  information. 

The  central  payroll  system  also  does  not  provide  for  posting  changes 
to  a  subsidiary  ledger.   These  ledgers  provide  detail  of  information  in 
certain  general  ledger  accounts.   Currently,  payroll  transactions  must 
be  processed  through  a  special  program  to  add  subsidiary  detail  numbers. 
In  order  to  make  the  two  systems  more  compatible,  the  Central  Payroll 
Division  should  expand  the  capability  of  the  system  to  permit  use  of 
five  levels  within  a  program  and  add  the  capability  of  using  subsidiary 
detail  numbers. 

RECOMMENDATION 

We  recommend  that  the  Central  Payroll  Division  modify  the  payroll 
system  to  make  it  more  compatible  with  the  Statewide  Budgeting 
and  Accounting  System. 
FINAL  COM^IZNTS 

We  have  discussed  this  report  with  the  Director  of  the  Department 
of  Administration  and  his  staff,  and,  where  applicable,  the  Deputy  State 
Auditor  and  his  staff.   The  full  texts  of  their  written  responses  to 
this  report  begin  on  page  23. 

We  wish  to  express  our  appreciation  to  these  officials  and  their 
respective  staffs  for  cooperation  and  assistance  during  the  audit. 
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AGENCY   REPLIES 


THOMAS  L.  JUDGE    Goven 


H  Di'iii^A  iiTi>:i  i'"..^"ir  OIF-  ^'\iiZ):>an.xii.^TJi.^Tict])ri' 

I)iim:<  Toifs  ori'K  !•; 

MIT<  IIKI.I,    Hril.DIVCi 
HKI,i;.\A.    MONTANA    r>".M>(»l 


August  30,  1977 


Mr.  Morris  L.  Brusett 

Legislative  Auditor 

Room  135 

State  Capitol  ^ 

Helena,  Montana   59601  ■  " 

Dear  Mr.  Brusett: 

In  accordance  with  your  request,  we  submit  the  following 
response  to  the  recommendations  included  in  the  audit  of  the  Data 
Processing  Division  and  selected  applications: 

R^commzndation  -  page.   3 

We  fLe.comme.nd  that  the  Data  PA.oceA6-ing  VivLi^on  update,  the. 
15-cAe  control  p>io(ie,duJieyi>  and  Inionm  aUL  emptoije,eJi  oi 
theAe.  ptoceduAeA . 

We   concur. 

Re.comimndatLon  -  page.  5 

We  fLe.commznd  that  the.  Data  Pn.oc.e^'Sitng  V-Lvt^ton  peAlodlcaZty 
tej>t  tmpleme.ntation  o^  poticteA  JUmitlng  acceAit  to  ^e^tfvLcted 
oAeju. 

A  periodic   test  will   be   implemented. 

Re.commtndatlon  -  page.  6 

We  fizcomrmnd  that  the,  Vata  PKoaeA6-ing  Vtvtiton  eJitabtU>h  and 
tn^ofice.  a  i,zg>ie.gatA,on  oi  dvutieA  wtthin  the,  du.vAJ:>ton. 

We  concur.  This  will  be  taken  into  consideration  in  the 
recently   initiated   reorganization   of    the   Division. 

Re.commendatA.on  -  page  8 

We  fizcomme.nd  that  the  data  Pfioce^iitng  VtvA^^ton: 

/.     EncouAage  iuieAA  M-Lth  cAiZicaJL  {,-lZeA  to  pfiovtde 
ade,qujOLte.  da>a{,teA  backup  and  itte  n.eX.e.yvtLon . 
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We   concur.      This   division  makes   recommendations  with  respect 
to  disaster   files   as   a  matter  of    course.      These  procedures   are  quite 
often  costly   and  users   are   therefore   reluctant    to    implement    them. 

2.     Jnctude.  -in  thz  deJ>ign  and  dzveZopmdnt  o{,  now  6y6tejtru> 
tht  pfiodtduAU  to  bz  uAtd  ion.  dti^cuteA  {^iZd  ctaxution. 

We   concur.      Standard  methods    for  handling  disaster    files 
are  currently  being  created  within   the   Standards  Program. 

Rzcomme.ndatlon  -  page.  9 

We  ^.tcormund  tiiat  tko,  VaXa  VfLOCZ^S-ing  Vlvli-ion  dovoJiop  a 
{^oKmaZ  dAJ>ai>teA  pZan. 

We   concur. 

Rzcommz.ndatA.on  -  page  7  7 

We  fLZZommznd  thaX.  tkz  Vata  ?fiozzA^i.ng  Vtvti-Lon'- 

1 .     St/Lzngtkzn  and  docamznt.  pftoczduAZA   ion.  acczM-ing 
oi  pKognnm  and  pn.ocz^^tng  tLbn.aJtiej> . 

1.     Vzvztop  6zcuAjJ:y  mza6un.z6  to  pKotzct  thz  JCL  LibnaAy. 

3.     E6tablAJ>k  6ZcuJilty  n.zquAAzmznt6  u)htch  iy^tzm  uJtZJiM 
mtuit  compZy  M-ith. 

More   formalized  and  better   controlled   standardized  procedures 
in    the  areas   of    catalog  program  storage  and  production  job   control 
language   are   currently  planned  by   the   Information   Systems   Division. 

Rzc.ommzndatyion  -  pagz  72 

We  n.zzommznd  that  tkz  Vata  ?n.ozzi>&lng  Vtviiton  znion.cz 
documzn.tatA.on  ^tandoAdi  by  contAottlng  tkz  uAz  o^  pn.ognam 
ckangz  n.zquz6ti>  and  n.zqaAjU.ng  tkz  ^Zgnatu/izA  oi  both  tkz 
uJiZn.  and  thz  6y-i>tzm6  anaJLy&t  on  tkzJiZ  ionmi. 

We  concur.   Change  request  procedures  are  currently  under 
development.   The  forthcoming  procedures  will  complement  our  program 
change  request  log  (which  has  significantly  improved  since  the  audit 
was  performed).   The  change  request  procedures  are  covered  in  Phase  IX 
of  the  system  development  guide  being  examined  by  the  Standards  Review 
Committee. 
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Rzaommiindcution  -  pagz  14 

We  n.zcomme.nd  that  the.  VepoAtmunt  oi  kdmA.viii,tn.oution  evaluate, 
thz  z^^cXive.nU-i>   o/j  i/ie  pfi2.-audlt  (^unction. 

We  basically  agree.   However,  it  must  be  noted  that  although 
the  pre-audit  will  normally  discover  a  few  errors,  the  important  question 
is  how  many  will  it  deter.   In  essence,  because  statistics  can  only  be 
compiled  based  upon  knowledge  of  the  known  errors,  the  total  overall 
effectiveness  of  the  pre-audit  function  should  be  evalued  based  upon 
the  statistics. 

At  this  time,  the  Governmental  Accounting  Policy  Council  is 
considering  the  pre-audit  function  in  conjunction  with  the  question 
of  centralized  or  decentralized  SBAS  input  document  flow.   Their 
decision  on  this  matter  will  have  a  significant  impact  on  the  above 
recommendation . 

Rzcormtndation  -  pciQZ  14 

We  fL2.cormznd  that  the.  Accounting  Vtv-Uton  continualZy  update, 
the  6tgnatu/ie  {jtZeA . 

We  concur. 

Re.corme.ndatA.on  -  page  16 

We  fiecommznd  that  the  Accounting  Viv-u-ion: 

1.  Vfie.paJie  a  neconcAJUxvtion  oi  cIoajm,  pfioce^^ed  and 
MWuxyvU  AJiiiue-d  on  a  doUZy  bcUiLb. 

2.  Pfiovtde.  i>upeAvAj>ony  fie.vi.eiti  o{^  the  fieconcAJU.ati.on. 
We   concur. 

Rzcomme.ndaXA.on  -  page  17 

We  ficcormend  that  the  Vepa/vtmznt  o{^  AdminUtAotion  oZZeA 
pfiocediifieA)  to  aJitow  the.  batcking  and  contfioZling  o{,  -iouAce 
documents  by  hA.gh  volume  u&eA  agencies. 

It   is   our  opinion   that   such  a  document   control   system  would 
be   expensive   and   could   result   in  numerous   operational   difficulties. 
Therefore,   we  must   disagree.      The  Accounting   Division  presently 
provides   a  printout  of   all   activity   captured    for   a  given   agency   in   the 
previous  night's   run.      If  properly  used,    this   report   can  satisfy   the 
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controlling  needs  of  most  agencies.   The  printout  is  optional  and, 
unfortunately,  less  than  half  of  the  user  agencies  elect  to  receive 
it.   As  for  the  letter  from  MSU,  sufficient  controls  have  been 
instituted  to  allow  the  Accounting  Division  complete  assurance  that 
the  type  of  omission  mentioned  will  never  happen  again.   In  the  future, 
providing  that  cost  justification  is  present,  we  may  have  a  complete 
on-line  rejected  document  and  reentery  system,  with  queue  monitoring 
ability.   Also,  a  temporary  manual  system  can  be  utilized  to  satisfy 
the  needs  of  the  University  Units  submitting  mechanical  data.   But 
for  now,  our  present  system  is  adequate,  while  the  proposed  system 
is  much  too  sophisticated  and  costly  for  the  State's  needs. 

Re.comme.ndaJxon  -  pagd  IS 

We  n.zcommtnd  that  thz.  VtpaAtrmnt  o{j  Admint^tAxxtton  tA/iyu,{^eA 
fL^jtctzd  tnjxyu, actio n6  to  adoike^tte.. 

We  concur. 

Re.cormmndation  -  paqo,   IS 

We.  recommend  thaX  thz  VzpaAtmzYVt  o{^  Admtnl6t/uitLon  modHiij 
the.  Stateuitde.    BadgeXtng  and  AccounttnQ  System  to  peJunct 
pfioczMytviQ  oi  tAamacttoM   ^fwrn  tiMo  {,Aj>cal  t/eaA6. 

We   agree.    This   recommendation  has   been  under   consideration 
by  us    for   a  number  of  years.      The   conversion   is   costly   and   the   develop- 
ment of   such  a   system  is   quite   complex.      The   question  of    "concurrent 
year  processing"   is    to  be   evaluated  by   the   Governmental  Accounting 
Policy   Council   and,    if    funds   are   available,    it  will  be   implemented   as 
soon  as      possible. 

Re.conme,ndatlon  -  page.  79 

We  fizcormznd  that  the.  Ve.panXme.nt  oi  AdmlnAj,tnwUx)n  dzveZop 
pfioce-duJieA  to  pfwvtde.  unique,  batch  ide.nti{jication  (^on. 
SBAS  pfioceMiiing. 

We   concur. 

Re.CQmme,ndati.on  -  page.  7  9 

We  fizcomrmnd  that  the.  Ve.paAtme.nt  o^  AdminiAtARtion  fieXal.n 
the.  above.- de^cnlbcd  fie.concLUjition  and  document  any 
conM.e.ction{>  made.. 

We  concur  and  this  procedure  has  been  implemented. 
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Rdcommdndcutxon  -  pagg.  20 

We  Ktcommdnd  that  tkz  Vn-poAimznt  oi  Admlnl&tAjdtion  make, 
ckangu  dAJitcXly  to  SEAS  ^ilu  only  Mkm  authofvizzd  by 
the.  doizcton.  o^  the.  depcULtrntnt,  and  iA)he.n  iuZty  documznte.d. 

We   concur. 

Sincerely, 


'^-JcX^^    (^  ^M->^ll 


lack   C.    Grosser 
Director 


JCC:dr 
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<iffh:e  of 

K.  V.  "Sonny"  OMIIOLT 

STATE  AliniTOK 

COMMISSIONER   OF    INSURANCE 
INVESTMENT   COMMISSIONER 
CENTRAL    PAYROLL    SYSTEM 

nELi-:NA.,Mc)NrAN^v  59001 


August  29,  1977 


Mr,  Morris  L.  Brusett 

Legislative  Auditor 

Office  of  the  Legislative  Auditor 

State  Capitol 

Helena,  Montana  59601 

Dear  Mr.  Brusett: 

Attached  are  written  comments  to  that  portion  of  the  audit  report  of  the 
Department  of  Administration,  Data  Processing  Division,  which  addresses 
three  recommendations  to  the  Central  Payroll  Division. 

Please  be  advised  that  we  feel  it  is  necessary  to  retain  the  copy  of  your 
audit  report  for  our  files  as  support  documentation  for  our  reply. 


Sincerely, 

E.  V.  "SONNY"  OMHOLT 
State  Auditor  &  Ex  Officio 
Commissioner  of  Insurance 

B.:     .%^^-^^' 

Kathleen  M.    Behm,  \Administrator 
Central  Payroll  Division 

Attach 

cc:      Mr.    E.    V.    "Sonny"   Omholt 
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THE  INSURANCE  AND  INVESTMENT  DEPARTMENTS  WERE  CREATED  FOR  THE  PROTECTION  OF 
THE  CITIZENS  OF  MONTANA.     USE  THEM! 


RECOMMENDATION 

We  recommend  that  the  Central  Payroll  Division: 

1.  Flaoe  strict  controls  over  use  of  the   "Revise  Program"  and  payroll 
data  files. 

2.  Provide  output  reports   to  all  agencies  affected  by  the  use  of  the 
"Revise  Program.  " 

We  concur  with  the  recommendation  to,  "Place  strict  controls 
over  use  of  the  'Revise  Program'  and  payroll  data  files."   Moreover, 
it  is  our  intention  to  place  rigid  controls  over  access  to  all  the 
programs  and  data  files  of  the  payroll  system  at  the  earliest 
possible  time.   However,  we  cannot  agree  with  the  discussion  that 
the  need  for  the  "Revise  Program"  is  an  indication  of  poor  system 
design.   The  use  of  this  program  has  provided  the  payroll  system 
with  flexibility  and  economical  operation.   The  "Revise  Program" 
is  and  has  always  been  used  upon  request  of  the  Central  Payroll 
Division  along  with  the  appropriate  input  data  for  the  change  to 
the  master  file  indicated  by  the  Agency  documents. 

We  also   concur  with  the  recommendation  to,  "Provide  output 
reports  to  all  agencies  affected  by  the  use  of  the  'Revise  Program'. 
This  recommendation  will  be  implemented  as  soon  as  possible. 


RECOMMEmATION 

We  recommend  that  the  Central  Payroll  Division  modify  the  payroll  system  to  make 
it  more  compatible  with  the  Statewide  Budgeting  and  Accounting  System. 

We  agree  that  the  Central  Payroll  Division  modify  the  payroll 
system  to  make  it  more  compatible  with  the  Statewide  Budgeting  and 
Accounting  System.   A  system  modification  is  in  progress  at  this 
time  to  include  program  levels  four  and  five  of  the  Statewide 
Budgeting  and  Accounting  System.   However,  a  major  and  cost  software 
revision  to  the  payroll  system  would  be  needed  to  permit  the  use  of 
subsidiary  detail  numbers.   This  expansion  of  the  capability  of  the 
payroll  system  will  be  addressed  in  conjunction  with  the  development 
of  an  integrated  Payroll-Personnel  System  for  the  State  of  Montana. 


/ 
/ 

/ 
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